Incident Response: Jumpbag

Incident Response: Jumpbag

When incident happens, the time required to respond should be as low as possible. Every minute wasted can mean another threat artifact lost or more damage done by attackers. Therefore, your incident response jump bag needs to be always ready and packed with all the software and hardware you might need.  

The core part of every incident response jump bag is a forensic laptop preloaded with necessary forensic software. It should have a powerful, >=35W TDP CPU and enough memory for rapid imaging and comfortable analytics.  

Digital Forensics 

Containing a threat or an event is the first step in the mind of cyber professionals, but gathering information and evidence to pursue legal action typically follows immediately afterward. Our Digital Forensics Services specialize in getting to the bottom of every case with deep science and industry experience. 

The second most important components are drives and various drive-related tools. You should have a flash drive with hardware write-blocker and write-blockers for internal drives. The former is for deploying live response tools and the latter for aforensically sound image acquisition For drive acquisition, you need clean drives with at least the same capacity as the acquired drives. Try to gather as much information as possible about the affected systems and their storage configuration. You will get a better sense of many hard drives you need to take. 

Nowadays, drives come in different shapes and with different connectors. You need to be ready even for the less common connectors, such as PCI Express drives with M.2 or U.2 connectors or external Thunderbolt drives.  

Do not forget about protection of the sensitive electronics, such as internal drives, from physical damage. Make sure you have safe compartments for hard drives, anti-static bags, and an antistatic wrist strap. Also be sure that you have all the screwdriver types you need. Some manufacturers utilize less common screw drives which are not included in most screwdriver kits. Buying a specialized toolkit with all the screw drives used in computers and tools like sim ejectors, plastics tips and tweezers is recommended. 

Finally, always carry multiple copies of all the paperwork, including chain of custody documents, and a camera for the necessary photo documentation. 

The jump bag should be used for alI incident Response: a kit ready for immediate use in case your attention is needed for onsite incident response. You should re-stock the contents of the bag after each use and seal it, so all incident responders know that the bag is ready to take.